Archive

The keystone to good security hygiene is limiting your attack surface. Attack surface reduction is a technique to remove or constrain exploitable behaviors in your systems. In this blog, we discuss the two attack surface reduction rules introduced in the most recent release of Windows and cover suggested deployment methods and best practices.

Software applications may use known, insecure methods, or methods later identified as useful for malware exploits. For example, macros are an old and powerful tool for task automation. However, macros can spawn child processes, invoke the Windows API, and perform other tasks which render them exploitable by malware.

Windows Defender Advanced Threat Protection (Windows Defender ATP) enables you to take advantage of attack surface reduction rules that allow you to control exploitable threat vectors in a simple and customizable manner. In previous releases of Windows we launched rules that let customers disallow remote process creation through WMI or PSExec and block Office applications from creating executable content. Other rules include the ability to disable scripts from creating executable content or blocking file executions unless age and prevalence criteria are met.

The latest attack surface reduction rules in Windows Defender ATP in latest re based on system and application vulnerabilities uncovered by Microsoft and other security companies. Below we describe that these rules do. More importantly, we outline recommendations for deploying these rules in enterprise environments.

Block Office communication apps from creating child processes

The Block Office Communication Applications from Creating Child Processes rule protects against attacks that attempt to abuse the Outlook email client. For example, in late 2017 Sensepost demonstrated the DDEAUTO attack, which was later discovered to be applicable to Outlook as well. In this case, this attack surface reduction rule disables the creation of another process from Outlook this means that DDE still works and data can be exchanged by two running applications, but new processes cannot be created. It is important to note that DDE, and DDEAUTO, are legacy, inter-process communication features available since 1987. Many line-of-business applications rely on this capability. If, for example, DDE is not used in your organization, or if you want to restrict the capability of DDE to already running processes, this can be configured by using the AllowDDE registry key for Office.

While rare, if your organizations applications utilize creating child processes from within Office communication applications, this attack surface reduction rule provides protection by allowing legitimate processes with exclusions. By limiting child processes that can be launched by Outlook to only processes with well-defined functionality, this attack surface reduction rule confines a potential exploit or a social engineering threat from further infecting or compromising the system.

Block Adobe Reader from creating child processes

The second rule weve introduced, Block Adobe Reader from Creating Child Processes limits the ability of a threat in a malicious PDF file from launching additional payloads, either embedded in a PDF file or downloaded by a threat, irrespective of how the malicious code in the PDF gained code execution either by social engineering or by exploiting an unknown vulnerability.

While there may be legitimate business reasons for a business PDF file to create a child process through scripting, this is a behavior that should be discouraged as it is prone to misuse. Our data indicates few legitimate applications utilize this technique. The Block Adobe Reader from Creating Child Processes rule disables child process creation in PDF content except for those files excluded by the IT administrator.

Recommendations on exclusions and deployment

Attack surface reduction rules close frequently used and exploitable behaviors in the operating system and in apps. However, legitimate line-of-business and commercial applications have been written utilizing these same behaviors. To enable non-malicious applications critical to your business, exclusions can be used if they are flagged as violating an attack surface reduction rule. Core Microsoft components, such as operating system files or Office applications, reside in a global exclusion list maintained as part of Defender. These do not need exclusions.

Attack surface reduction rules have three settings: off, audit, and block. Our recommended practice to deploy attack surface reduction rules is to first implement the rule in audit mode.

Audit mode will identify exploitable behavior use but will not block the behavior. With audit, if you have a line of business application utilizing a behavior that is exploitable, the invoking application can be identified, and an exclusion added.

When audit telemetry reveals that line-of-business applications are no longer being impacted by the attack surface reduction rule, the attack surface reduction rule setting can be switched to block. This will protect against malware exploitation of the behavior.

For larger enterprises, Microsoft recommends deploying attack surface reduction rules in rings. Rings are groups of machines radiating outward like non-overlapping tree rings. When the inner ring is successfully deployed with required exclusions, the next ring can be deployed. One of the ways you can create a ring process is by creating specific groups of users or devices in Intune or with a Group Policy management tool.

Monitor attack surface reduction event telemetry

Once a rule is deployed in block mode, it is important to monitor corresponding event telemetry. This data contains important information. For example, an application update may now require an exclusion or multiple alerts from a user clicking on email executable attachments can indicate additional training is required. Attack surface reduction rule events may be from a single, random malware breach, or your organization may be the object of a new, persistent attack attempting to utilize a vector covered by attack surface reduction rules suddenly producing a large increase in related attack surface reduction-rule block events.

Where to get more information and support

If you havent deployed any attack surface reduction rules, take a look at our documentation and discover how you can better protect your enterprise.

Minimizing your attack surface can yield large paybacks in decreased threat vulnerability and in allowing the security operations team to focus on other threat vectors.

As with all security features, enable attack surface reduction rules in a methodical, controlled manner that allows legitimate business applications to be excluded from analysis.

The keystone to good security hygiene is limiting your attack surface. Attack surface reduction is a technique to remove or constrain exploitable behaviors in your systems. In this blog, we discuss the two attack surface reduction rules introduced in the most recent release of Windows and cover suggested deployment methods and best practices.

Software applications may use known, insecure methods, or methods later identified as useful for malware exploits. For example, macros are an old and powerful tool for task automation. However, macros can spawn child processes, invoke the Windows API, and perform other tasks which render them exploitable by malware.

Windows Defender Advanced Threat Protection (Windows Defender ATP) enables you to take advantage of attack surface reduction rules that allow you to control exploitable threat vectors in a simple and customizable manner. In previous releases of Windows we launched rules that let customers disallow remote process creation through WMI or PSExec and block Office applications from creating executable content. Other rules include the ability to disable scripts from creating executable content or blocking file executions unless age and prevalence criteria are met.

The latest attack surface reduction rules in Windows Defender ATP in latest re based on system and application vulnerabilities uncovered by Microsoft and other security companies. Below we describe that these rules do. More importantly, we outline recommendations for deploying these rules in enterprise environments.

Block Office communication apps from creating child processes

The Block Office Communication Applications from Creating Child Processes rule protects against attacks that attempt to abuse the Outlook email client. For example, in late 2017 Sensepost demonstrated the DDEAUTO attack, which was later discovered to be applicable to Outlook as well. In this case, this attack surface reduction rule disables the creation of another process from Outlook this means that DDE still works and data can be exchanged by two running applications, but new processes cannot be created. It is important to note that DDE, and DDEAUTO, are legacy, inter-process communication features available since 1987. Many line-of-business applications rely on this capability. If, for example, DDE is not used in your organization, or if you want to restrict the capability of DDE to already running processes, this can be configured by using the AllowDDE registry key for Office.

While rare, if your organizations applications utilize creating child processes from within Office communication applications, this attack surface reduction rule provides protection by allowing legitimate processes with exclusions. By limiting child processes that can be launched by Outlook to only processes with well-defined functionality, this attack surface reduction rule confines a potential exploit or a social engineering threat from further infecting or compromising the system.

Block Adobe Reader from creating child processes

The second rule weve introduced, Block Adobe Reader from Creating Child Processes limits the ability of a threat in a malicious PDF file from launching additional payloads, either embedded in a PDF file or downloaded by a threat, irrespective of how the malicious code in the PDF gained code execution either by social engineering or by exploiting an unknown vulnerability.

While there may be legitimate business reasons for a business PDF file to create a child process through scripting, this is a behavior that should be discouraged as it is prone to misuse. Our data indicates few legitimate applications utilize this technique. The Block Adobe Reader from Creating Child Processes rule disables child process creation in PDF content except for those files excluded by the IT administrator.

Recommendations on exclusions and deployment

Attack surface reduction rules close frequently used and exploitable behaviors in the operating system and in apps. However, legitimate line-of-business and commercial applications have been written utilizing these same behaviors. To enable non-malicious applications critical to your business, exclusions can be used if they are flagged as violating an attack surface reduction rule. Core Microsoft components, such as operating system files or Office applications, reside in a global exclusion list maintained as part of Defender. These do not need exclusions.

Attack surface reduction rules have three settings: off, audit, and block. Our recommended practice to deploy attack surface reduction rules is to first implement the rule in audit mode.

Audit mode will identify exploitable behavior use but will not block the behavior. With audit, if you have a line of business application utilizing a behavior that is exploitable, the invoking application can be identified, and an exclusion added.

When audit telemetry reveals that line-of-business applications are no longer being impacted by the attack surface reduction rule, the attack surface reduction rule setting can be switched to block. This will protect against malware exploitation of the behavior.

For larger enterprises, Microsoft recommends deploying attack surface reduction rules in rings. Rings are groups of machines radiating outward like non-overlapping tree rings. When the inner ring is successfully deployed with required exclusions, the next ring can be deployed. One of the ways you can create a ring process is by creating specific groups of users or devices in Intune or with a Group Policy management tool.

Monitor attack surface reduction event telemetry

Once a rule is deployed in block mode, it is important to monitor corresponding event telemetry. This data contains important information. For example, an application update may now require an exclusion or multiple alerts from a user clicking on email executable attachments can indicate additional training is required. Attack surface reduction rule events may be from a single, random malware breach, or your organization may be the object of a new, persistent attack attempting to utilize a vector covered by attack surface reduction rules suddenly producing a large increase in related attack surface reduction-rule block events.

Where to get more information and support

If you havent deployed any attack surface reduction rules, take a look at our documentation and discover how you can better protect your enterprise.

Minimizing your attack surface can yield large paybacks in decreased threat vulnerability and in allowing the security operations team to focus on other threat vectors.

As with all security features, enable attack surface reduction rules in a methodical, controlled manner that allows legitimate business applications to be excluded from analysis.

Digital transformation and the transition to a modern workplace encourage employee engagement, productivity, and collaboration. This transition poses major challenges in protecting sensitive information. In the modern workplace, the perimeter between the corporate network and the cloud are fading. Sensitive data constantly travels between different locations and is often shared with others both inside and outside the organization. This significantly increases the attack surface and makes identifying, protecting, and monitoring sensitive data challenging.

Additionally, the threat landscape is evolving. External adversaries and insider threats are becoming more sophisticated and dangerous. Data breaches are at an all-time high in terms of both the number of breaches and the overall severity and business impact. As a result, governments and regulators are instituting stricter regulations with unprecedented fines for not properly protecting and governing sensitive information.

Traditional solutions that put walls around your network perimeter do not suffice. You are at risk of over-protecting where you shouldnt, degrading employee productivity by interrupting legitimate workflows, and under-protecting where you should when sensitive data is being exfiltrated.

Consider the following principles when shaping your information protection strategy:

Visibility You cant protect what you cant see. Strive to achieve complete visibility into sensitive data across all repositories.

Data-centric protection Protect your data, not your perimeter. Apply information protection capabilities that are content-aware to improve protection coverage and reduce end-user friction due to unnecessary interruptions. Make sure sensitive data stays protected wherever it goes; this is especially important in a modern workplace, where data is constantly on the move.

Assume breach Sophisticated attackers, external adversaries, or insider threats will find a way around any wall you put in front of them. Implement post-breach techniques that constantly monitor sensitive data usage in your organization, correlate this data to other suspicious behaviors, and allow you to respond and mitigate risks.

The endpoint is a key point of control when implementing an effective information protection strategy based on these principles. Endpoints are often the entry for sophisticated attacks conducted by an external adversary or an insider threat. Combine it with the fact that endpoints are usually the darkest spot in the enterprise for security and compliance teams, and you end up with a critical weakness in the enterprise information security posture.

Windows Defender ATP is built into the OS, removing the need for deployment and agent maintenance, ensuring that end-user experience is not impacted when performing legitimate business workflows. No on-premises infrastructure or endpoint agents are required. The seamless integration with Azure Information Protection reporting and management experience ensures that data administrators can continue to leverage their existing Azure Information Protection experience to manage these new capabilities.

Discover sensitive documents on Windows devices

Windows Defender ATPs built-in sensors discovers labeled data on all devices monitored by the Windows Defender ATP service. This data is then seamlessly plugged into the Azure Information Protection reporting experience and enriched with labeled documents discovered on Windows devices. This allows existing Azure Information Protection customers to get instant visibility into sensitive data on devices using the same dashboard and analytics tools they use today.

It doesnt end there. Being an endpoint protection suite, Windows Defender ATP monitors and calculates device machine risk level an aggregated indicator of active security threats on each device. This data is also shared with Azure Information Protection reports, allowing data administrators to proactively understand whether sensitive corporate data resides on any compromised devices. To understand why the device is compromised, all it takes is a single click in the Azure Information Protection dashboard to be directed to that devices record in Windows Defender ATP, where the administrator can investigate and mitigate detected security threats.

Turning on this integration is a matter of a single flip of a switch in the advanced features settings page in Windows Defender Security Center. Windows endpoints will start discovering labeled documents immediately.

It all starts from the Office 365 Security and Compliance Center (SCC), Microsofts unified management console for information protection, where you can manage information protection configuration settings on Windows devices. As part of the label policy, you can define whether files with a specific label applied will be protected by Windows Defender ATP.

Once that policy is in place, Windows Defender ATP will start protecting documents with a matching label. Protection is applied by automatically enabling Windows Information Protection, which prevents unallowed client apps, cloud apps, and network locations from accessing protected files and their content, reducing the risk of data leak.

In addition, Windows Defender ATP integrates sensitive data awareness into Windows Defender Security Center. Each incident or alert raised in Windows Defender Security Center includes a data sensitivity attribute that is generated by aggregating the sensitivity of all the labeled files discovered on devices that are affected by the incident. This allows security analysts to prioritize incident response based on data sensitivity. When investigating an incident, security analysts can use data sensitivity context across the entire investigation from the incident dashboard, through analyzing sensitive data exposure of specific machines, all the way to Advanced hunting.

Digital transformation and the transition to a modern workplace encourage employee engagement, productivity, and collaboration. This transition poses major challenges in protecting sensitive information. In the modern workplace, the perimeter between the corporate network and the cloud are fading. Sensitive data constantly travels between different locations and is often shared with others both inside and outside the organization. This significantly increases the attack surface and makes identifying, protecting, and monitoring sensitive data challenging.

Additionally, the threat landscape is evolving. External adversaries and insider threats are becoming more sophisticated and dangerous. Data breaches are at an all-time high in terms of both the number of breaches and the overall severity and business impact. As a result, governments and regulators are instituting stricter regulations with unprecedented fines for not properly protecting and governing sensitive information.

Traditional solutions that put walls around your network perimeter do not suffice. You are at risk of over-protecting where you shouldnt, degrading employee productivity by interrupting legitimate workflows, and under-protecting where you should when sensitive data is being exfiltrated.

Consider the following principles when shaping your information protection strategy:

Visibility You cant protect what you cant see. Strive to achieve complete visibility into sensitive data across all repositories.

Data-centric protection Protect your data, not your perimeter. Apply information protection capabilities that are content-aware to improve protection coverage and reduce end-user friction due to unnecessary interruptions. Make sure sensitive data stays protected wherever it goes; this is especially important in a modern workplace, where data is constantly on the move.

Assume breach Sophisticated attackers, external adversaries, or insider threats will find a way around any wall you put in front of them. Implement post-breach techniques that constantly monitor sensitive data usage in your organization, correlate this data to other suspicious behaviors, and allow you to respond and mitigate risks.

The endpoint is a key point of control when implementing an effective information protection strategy based on these principles. Endpoints are often the entry for sophisticated attacks conducted by an external adversary or an insider threat. Combine it with the fact that endpoints are usually the darkest spot in the enterprise for security and compliance teams, and you end up with a critical weakness in the enterprise information security posture.

Windows Defender ATP is built into the OS, removing the need for deployment and agent maintenance, ensuring that end-user experience is not impacted when performing legitimate business workflows. No on-premises infrastructure or endpoint agents are required. The seamless integration with Azure Information Protection reporting and management experience ensures that data administrators can continue to leverage their existing Azure Information Protection experience to manage these new capabilities.

Discover sensitive documents on Windows devices

Windows Defender ATPs built-in sensors discovers labeled data on all devices monitored by the Windows Defender ATP service. This data is then seamlessly plugged into the Azure Information Protection reporting experience and enriched with labeled documents discovered on Windows devices. This allows existing Azure Information Protection customers to get instant visibility into sensitive data on devices using the same dashboard and analytics tools they use today.

It doesnt end there. Being an endpoint protection suite, Windows Defender ATP monitors and calculates device machine risk level an aggregated indicator of active security threats on each device. This data is also shared with Azure Information Protection reports, allowing data administrators to proactively understand whether sensitive corporate data resides on any compromised devices. To understand why the device is compromised, all it takes is a single click in the Azure Information Protection dashboard to be directed to that devices record in Windows Defender ATP, where the administrator can investigate and mitigate detected security threats.

Turning on this integration is a matter of a single flip of a switch in the advanced features settings page in Windows Defender Security Center. Windows endpoints will start discovering labeled documents immediately.

It all starts from the Office 365 Security and Compliance Center (SCC), Microsofts unified management console for information protection, where you can manage information protection configuration settings on Windows devices. As part of the label policy, you can define whether files with a specific label applied will be protected by Windows Defender ATP.

Once that policy is in place, Windows Defender ATP will start protecting documents with a matching label. Protection is applied by automatically enabling Windows Information Protection, which prevents unallowed client apps, cloud apps, and network locations from accessing protected files and their content, reducing the risk of data leak.

In addition, Windows Defender ATP integrates sensitive data awareness into Windows Defender Security Center. Each incident or alert raised in Windows Defender Security Center includes a data sensitivity attribute that is generated by aggregating the sensitivity of all the labeled files discovered on devices that are affected by the incident. This allows security analysts to prioritize incident response based on data sensitivity. When investigating an incident, security analysts can use data sensitivity context across the entire investigation from the incident dashboard, through analyzing sensitive data exposure of specific machines, all the way to Advanced hunting.

MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, as part of the testing, all protection and prevention features were turned off. In the case of Windows Defender ATP, this meant turning off blocking capabilities like hardware-based isolation, attack surface reduction, network protection, exploit protection, controlled folder access, and next-gen antivirus. The test showed that, by itself, Windows Defender ATPs EDR component is one of the most powerful detection and investigation solutions in the market today.

Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework, widely regarded today as the most comprehensive catalog of attacker techniques and tactics. MITRE closely partnered with participating security vendors in designing and executing the evaluation, resulting in a very collaborative and productive testing process.
We like participating in scientific and impartial tests because we learn from them. Learning from independent tests, like listening to customers and conducting our own research, is part of our goal to make sure that Windows Defender ATP is always ahead of threats and continues to evolve.

Overall, the results of the MITRE evaluation validated our investments in continuously enriching Windows Defender ATPs capabilities to detect and expose attacker techniques. Below we highlight some of the acute attacker techniques that Windows Defender ATP effectively detected during the MITRE testing.

Windows Defender ATP correlates security signals across endpoints and identities. In the case of the APT3 emulation, signals from Azure Advanced Threat Protection helped expose and enrich the detection of the account discovery behavior. This validates the strategic approach behind Microsoft Threat Protection: the most comprehensive protection comes from sharing rich telemetry collected from across the entire attack chain.

Windows Defender ATPs Antimalware Scan Interface (AMSI) sensors also proved especially powerful, providing rich telemetry on the latter stages of the attack emulation, which made heavy use of malicious PowerShell scripts. This test highlighted the value of transparency: the AMSI interface enabled deep visibility into the PowerShell used in each attacker technique. Advanced machine learning-based detection capabilities in Windows Defender ATP use this visibility to expose malicious scripts.

The MITRE results represent EDR detection capabilities, which surface malicious and other anomalous activities. In actual customer environments, Windows Defender ATPs preventive capabilities, like attack surface reduction and next-gen protection capabilities, would have blocked many of the attack techniques at the onset. In addition, investigation and hunting capabilities enable security operations personnel to correlate alerts and incidents to enable holistic response actions and build wider protections.

Windows Defender ATP’s best-in-class detection capabilities, as affirmed by MITRE, is amplified across Microsoft solutions through Microsoft Threat Protection, a comprehensive, integrated protection for identities, endpoints, user data, cloud apps, and infrastructure. To run your own evaluation of how Windows Defender ATP can help protect your organization and let you detect, investigate, and respond to advanced attacks, sign up for a free Windows Defender ATP trial.